This is a putative class action lawsuit against Take-Two, the video game publisher. Plaintiffs allege that the “MyPlayer” feature on NBA 2K15 violated Illinois’ biometric information privacy statute. The feature allowed players to upload a face-scan and then use a version of that scan as their avatar in certain multiplayer games. Specifically, plaintiffs allege that Take-Two (1) failed to obtain consent; (2) disseminated biometric data without consent; (3) failed to provide details regarding the purpose or term of storage or use of the information, or an applicable retention schedule; and (4) failed to comply with appropriate security measures by transmitting the scans via standard wireless connections.

The district court dismissed on Article III standing grounds. The Second Circuit affirms.

Citing Spokeo, the Second Circuit looks at circumstances where plaintiffs have standing for “procedural violations” of a privacy law. In order to establish standing based on procedural violations, the plaintiffs must establish that (1) the legislature created the procedural right to protect plaintiff’s “concrete interests” as to the harms in question, and (2) the procedural violation presents a real risk of harm to this interest.

The parties agreed that the decisive issue was the second one. So the court assumes without deciding that the Illinois statute seeks to prevent the unauthorized collection, use, or disclosure of a person’s biometric data. The court says that none of the procedural violations raise a “material risk of harm” to this interest.

As for the lack of consent, the court says plaintiffs voluntarily participated: “[n]o reasonable person . . . would believe that the MyPlayer feature was conducting anything other than a scan.” Plaintiffs do not “plausibly” assert that if they were more directly advised, they would have withheld consent (or declined the feature).

The court says the same is true of Take-Two’s failure to disclose the duration of the scan’s storage or guidelines for its destruction. Plaintiffs merely argued they were not advised of this but didn’t actually take issue with Take-Two’s policies. Interestingly, the court says this also presents a consent issue.

The court says Take-Two’s violation of the statute’s data-security provisions presents a tougher question. The statute says covered entities have to store and transmit biometric data in a way that is “protective” and commensurate with their handling of other “confidential and sensitive information.” Plaintiffs argued Take-Two’s transmission of the information via the “open, commercial internet” violated the statute. However, the court says that plaintiffs failed even to allege an increased material risk. The injury plaintiffs point to was that they would be deterred from using similar technologies and fearful of such transactions in the future. The court says this is not the risk of harm that would qualify (even assuming that the risk of harm alone would be sufficient).

Finally, the court says dismissal should be without prejudice. Where a court dismisses for lack of Article III standing, the court actually lacks subject matter jurisdiction.

__

We’ve seen a flurry of lawsuits based on the Illinois statute relied on by plaintiffs here. The Shutterfly lawsuit linked below was brought by a non-user and survived a motion to dismiss. (It looks like it’s in the middle of discovery.) This case was brought by a user and is a much tougher one to make. It’s tough to argue subterfuge as to the process of the face-scan itself. As the court notes, when undergoing the scan, participants must:

hold their faces within 6 to 12 inches of the camera and slowly turn their heads 30 degrees to the left and to the right during the scanning process. The process . . . takes about 15 minutes.

Once consent is removed from the mix and there’s no misuse outside the entity that took the scan, plaintiffs are left to argue “bare procedural violations”. As the Supreme Court helpfully explained in Spokeo, bare procedural violations are often not actionable, and the court concludes that is the case here. Plaintiffs’ complaints regarding purging and storage are reminiscent of the arguments Video Privacy Protection Act plaintiffs raised regarding the treatment of their viewing records. A failure to purge in that context is tough to turn into something actionable.

The court’s closing statement about the data security practices of Take-Two is worth noting. It’s unclear whether the court was referring to the process that occurs at the player’s location or at Take-Two internally. But with the increasing prevalence of data breaches and theft, companies would be wise to pay heed to their security practices when dealing with this type of information.